XACML Version 2.0 Conformance Tests (draft)

Contents

1. Description of Tests
   1. Test Case Groupings
   2. How to Use the Tests
   3. Preparing Tests for Execution
   4. Contributions of New Tests
   5. Bugs in the Tests
2. Mandatory-to-Implement Functionality Tests
   1. Attribute References
   2. Target Matching
   3. Function Evaluation
   4. Combining Algorithms
   5. Schema components
   6. XACML 2.0 new features
3. Optional, but Normative Functionality Tests
   1. Obligations
   2. DefaultsType
   3. Hierarchical Resources
   4. <ResourceContent> Element
   5. Multiple Decisions
   6. Attribute Selectors
   7. Non-mandatory Functions

Description of Tests

These tests are provided as an aid in achieving conformance to the eXtensible Access Control Markup Language (XACML) Version 2.0 OASIS Standard. The tests may aid in determining whether an implementation is correctly interpreting the intent of the XACML Version 2.0 specification, and may provide a basic level of interoperability testing.

These tests are non-normative and do not constitute a full test of conformance to the XACML Version 2.0 Standard. A full description of the requirements for conformance is included in Section 10. Conformance of the XACML Version 2.0 specification. There is no OASIS- or XACML TC- sponsored branding or certification program for XACML.

IMPORTANT NOTE

The tests in this suite were converted to comply with XACML 2.0 from the conformance test suite for XACML 1.0 and 1.1. Conversion was done by using pattern matching/replacement scripts. All tests passed schema validation sucessfully against normative schemas for Context and Policy of XACML 2.0.

History of changes since XACML 2.0

Version 0.1

• empty Target element is allowed in XACML 2.0
• AnySubject and other Any* elements in the Target are not allowed in XACML 2.0
• Environment element is required in Target for Request in XACML 2.0
• FunctionId is not allowed in Condition element in XACML 2.0
• IssueInstant attribute is not allowed in Attribute in XACML 2.0
• IIIASpecial.txt is removed, because AttributeAssignment element has AttributeValue in XACML 2.0.
• IIIGSpecial.txt is removed, because in XACML 2.0 it's defined that <xacml-context:Request> is the context node for xpath expressions.
Version 0.2

• Remove DataType attribute from AttributeValue elements in *Request.xml files. Data types should be specified in the parent Attribute element.
• Replace regexp-string-match in *Policy.xml files with string-regexp-match. In XACML 2.0 this function's urn was changed to make it more consistent with names of similar functions. Thanks to Ryan Eberhard for reporting this discrepancy in the test suite.
Version 0.3

• Fix typos in policy combining algorithm urns. These typos were a result of a bug in the scripts, which were used to convert XACML 1.0 conformance tests to XACML 2.0. Thanks to Ryan Eberhard for reporting this bug in the test suite.
Version 0.4

• IIC086-IIC091: change some attribute types to string.
• IIA004, IIA005 - these files contained intentional errors, which were accidentally "fixed" when converting to xacml 2.0. Errors are reintroduced.
• IID029, IID030, IIE001, IIE002 - these files were not converted properly to to xacml 2.0: Condition had FunctionId attribute. This bug was first reported by Frederic Deleon.
Version 0.4

• IIF001: new test for Variable feature.

Test Case Groupings

Tests are divided into those that exercise Mandatory-to-Implement functionality and those that exercise Optional, but normative functionality. All implementations that claim conformance to the eXtensible Access Control Markup Language (XACML) Version 2.0 OASIS Standard MUST support all Mandatory-to-Implement functionality as described in the XACML Version 2.0 specification. Conforming implementations MAY additionally support various Optional functionality areas.

Tests are divided into groups based on the primary area of functionality or schema being exercised.

Each test case consists of three XML documents (or sets of documents):

1. An XACML Request
2. An XACML Policy or set of Policy documents
3. An XACML Response

Each XML document is named according to the section of this document in which it occurs. For example, the XML documents for the test in Part II (Mandatory to implement), Section B (Target Matching), Test Case 8 (Case: match: multiple actions) are named:

• IIB008Request.xml
• IIB008Policy.xml
• IIB008Response.xml

How to Use the Tests

An implementation of an XACML Policy Decision Point (PDP) should be able to:
1. Accept the given Request, or input consistent with the given Request, as input.
2. Accept the given Policy or Policies (these files may contain one or more XACML Policies or PolicySets) as input.
3. Produce the given Response, or output consistent with the given Response, as output.

Explanation of consistent with:

The request and response used in executing these tests need not be instances of the XACML Context Schema. The request and response should, however, contain exactly the same information as the given Request and Response file, and should exercise the XACML policy evaluation functionality that the test is intended to exercise. It should be possible, at least conceptually, to mechanically convert the request and response used in the implementation to the given XACML Request and Response instances.

Preparing Tests for Execution

In general, for each test,
1. Either,
   1. store the *Policy.xml file for the given test in the repository you use for policies, such that the specified *Policy.xml is the only policy that will be retrieved by the PDP, or
   2. configure the PDP with the *Policy.xml file as its initial policy.

2. Send the *Request.xml file (or its semantic equivalent in your system) to the Context Handler component of the XACML PDP via your access control decision request API.

3. Compare the result returned from the PDP with the specified *Response.xml file (or its semantic equivalent in your system).

4. The test passes if your system's result is semantically equivalent to the specified *Response.xml file.

Some of the tests have special instructions associated with them. They modify the instructions given above for the given test.

Contributions of New Tests

Any XACML implementer may contribute additional conformance tests by submitting them to the xacml-comment@lists.oasis-open.org mailing list. Such contributions will be incorporated into the test suite on the next update.

While this suite of tests is non-normative, we hope the suite will represent a general consensus as to the intent of the XACML Version 2.0 Standard. For this reason, contributed tests are marked **EXPERIMENTAL** until the tests have undergone successful review and use, defined as follows:

1. a reasonable review period has elapsed since submission, and
2. several implementers have reported successful execution of these tests to xacml-comment@lists.oasis-open.org, and
3. no objections to the test have been reported to the xacml-comment mailing list.

Once the tests have undergone successful review and use, then the **EXPERIMENTAL** status will be removed.

If an objection is reported on the xacml-comment mailing list to an **EXPERIMENTAL** test during the review period, then the test will be removed from the test suite on the next update unless the XACML TC upholds the objection. It is up to the test submitter to request review by the TC, and it is up to the TC to decide whether or not to review a test.

If an objection is reported to a test that is no longer **EXPERIMENTAL**, the objection is treated as a bug. See Bugs in the Tests for a description of how bugs are handled.

Bugs in the Tests

Following are the known bugs:
1. The <Description> in many *Policy.xml files is incorrect: instead of "read or write Bart Simpson's medical record", the description should say "perform any action on any resource".

If you believe any test does not correctly interpret the intent of the eXtensible Access Control Markup Language (XACML) Version 2.0 OASIS Standard, or if you find any additional errors in these tests, please submit a report to the xacml-comment@lists.oasis-open.org mailing list. Absent any objections to a bug report, minor bugs may be fixed at the test editor's discretion in the next test suite update.

Major or controversial bugs reported against non-**EXPERIMENTAL** tests will be reviewed by the XACML TC. If the TC agrees that the test does not conform to the intent of the XACML Version 2.0 Standard, then the test will be modified or removed as appropriate on the next test suite update.

Major or controversial bugs reported against tests marked **EXPERIMENTAL** will be treated as an objection to the test. See Contributions of New Tests for the handling of such objections.

Periodically, an updated copy of the entire Conformance Test Suite, containing all corrections to date, will be posted to the XACML TC Web Site.

---

Mandatory-to-Implement Functionality Tests

This section contains tests of all mandatory-to-implement functionality. All implementations that conform to the XACML Version 2.0 Standard should pass all these tests except as explained in any associated Special Instructions (<test ID>Special.txt) file.

Attribute References

These tests exercise referencing of attribute values in the Request by a policy.
1. Case: Simple type attribute element present in Request Request,Policy,Response
2. Case: Simple type attribute element not present in original decision Request, but retrievable from Attribute repository Request,Policy,Response, Special Instructions
3. Case: Simple type attribute element not present in Request and not retrievable by Attribute Authority Request,Policy,Response
4. Case: INVALID syntax for Attribute Designator Request,Policy,Response,Special Instructions
5. Case: INVALID syntax for Request attribute Request,Policy,Response
6. Case: TRUE: "MustBePresent" XML attribute in Target Designator Request,Policy,Response
7. Case: FALSE: "MustBePresent" XML attribute in Target Designator Request,Policy,Response
8. Case: TRUE: "MustBePresent" XML attribute in Condition Designator Request,Policy,Response
9. Case: FALSE: "MustBePresent" XML attribute in Condition Designator Request,Policy,Response
10. Case: Permit: Multiple attributes match except for DataType Request,Policy,Response
11. Case: Indeterminate: Multiple attributes match except for DataType Request,Policy,Response
12. Case: Permit: Multiple subjects with same subject-category: different attribute in each Request,Policy,Response
13. Case: Indeterminate: Multiple subjects with same subject-category: same attributes in each Request,Policy,Response
14. Case: Permit: SubjectAttributeDesignator with SubjectCategory XML attribute Request,Policy,Response
15. Case: Permit: SubjectAttributeDesignator without SubjectCategory XML attribute Request,Policy,Response
16. Case: explicit environment:current-time attribute. Updates: Rule description is modified to match the condition. Aug 11, 2005 - Argyn Kuketayev. Request,Policy,Response
17. Case: implicit environment:current-time attribute Request,Policy,Response
18. Case: explicit environment:current-date attribute Request,Policy,Response
19. Case: implicit environment:current-date attribute Request,Policy,Response
20. Case: explicit environment:current-dateTime attribute Request,Policy,Response
21. Case: implicit environment:current-dateTime attribute Request,Policy,Response

Target Matching

These tests exercise various forms of Target matching.
1. Case: match: anySubject, anyResource, anyAction Request,Policy,Response

2. Case: match: anySubject, anyResource, specified Action value Request,Policy,Response
3. Case: no match: anySubject, anyResource, specified Action value Request,Policy,Response
4. Case: match: anySubject, anyResource, two specified Action attributes Request,Policy,Response
5. Case: no match: anySubject, anyResource, two specified Action attributes Request,Policy,Response
6. Case: match: impliedAction Request,Policy,Response
7. Case: no match: impliedAction Request,Policy,Response
8. Case: match: multiple actions Request,Policy,Response
9. Case: no match: multiple actions Request,Policy,Response

10. Case: match: Subject with specific SubjectCategory Request,Policy,Response
11. Case: no match: Subject with specific SubjectCategory Request,Policy,Response
12. Case: match: Subject with specific SubjectId value Request,Policy,Response
13. Case: no match: Subject with specific SubjectID value Request,Policy,Response
14. Case: match: Subject with non-string SubjectId DataType and value Request,Policy,Response
15. Case: no match: Subject with non-string SubjectId DataType and value Request,Policy,Response
16. Case: match: Subject with specific KeyInfo value Request,Policy,Response
17. Case: no match: Subject with specific KeyInfo value Request,Policy,Response
18. Case: match: Subject AttributeId Request,Policy,Response
19. Case: no match: Subject AttributeId Request,Policy,Response
20. Case: match: Subject AttributeId and Issuer Request,Policy,Response
21. Case: no match: Subject AttributeId and Issuer Request,Policy,Response
22. Case: match: Subject AttributeId and IssueInstant Request,Policy,Response
23. Case: no match: Subject AttributeId and IssueInstant Request,Policy,Response
24. Case: match: Subject AttributeId, Issuer, and IssueInstant Request,Policy,Response
25. Case: no match: Subject AttributeId, Issuer, and IssueInstant Request,Policy,Response
26. Case: match: Subject identifier value and attribute value Request,Policy,Response
27. Case: no match: Subject identifier value and attribute value Request,Policy,Response
28. Case: match: multiple Subjects Request,Policy,Response
29. Case: no match: multiple Subjects Request,Policy,Response

30. Case: match: ResourceId Request,Policy,Response
31. Case: no match: ResourceId Request,Policy,Response
32. Case: match: ResourceId with specific DataType Request,Policy,Response
33. Case: no match: ResourceId with specific DataType Request,Policy,Response
34. Case: match: Resource AttributeId Request,Policy,Response
35. Case: no match: Resource AttributeId Request,Policy,Response
36. Case: match: Resource AttributeId and Issuer Request,Policy,Response
37. Case: no match: Resource AttributeId and Issuer Request,Policy,Response
38. Case: match: Resource AttributeId and IssueInstant Request,Policy,Response
39. Case: no match: Resource AttributeId and IssueInstant Request,Policy,Response
40. Case: match: Resource AttributeId, Issuer, and IssueInstant Request,Policy,Response
41. Case: no match: Resource AttributeId, Issuer, and IssueInstant Request,Policy,Response
42. Case: match: Resource identifier value and attribute value Request,Policy,Response
43. Case: no match: Resource identifier value and attribute value Request,Policy,Response
44. Case: match: multiple resources Request,Policy,Response
45. Case: no match: multiple resources Request,Policy,Response

46. Case: match: specified Subject and Resource Request,Policy,Response
47. Case: no match: specified Subject and Resource Request,Policy,Response
48. Case: match: specified Subject, Action Request,Policy,Response
49. Case: no match: specified Subject, Action Request,Policy,Response
50. Case: match: specified Resource, Action Request,Policy,Response
51. Case: no match: specified Resource, Action Request,Policy,Response
52. Case: match: specified Subject, Resource, Action Request,Policy,Response
53. Case: no match: specified Subject, Resource, Action Request,Policy,Response

Function Evaluation

These tests exercise each of the mandatory-to-implement functions.
GENERAL APPLY TESTS
1. Case: Apply with Apply argument Request,Policy,Response
2. Case: Apply with AttributeValue argument Request,Policy,Response
3. Case: Apply with single-element bag where function expects primitive type Request, Policy, Response, Special Instructions
4. Case: Apply with SubjectAttributeDesignator argument Request,Policy,Response
5. Case: Apply with ResourceAttributeDesignator argument Request,Policy,Response
6. Case: Apply with ActionAttributeDesignator argument Request,Policy,Response
7. Case: Apply with EnvironmentAttributeDesignator argument Request,Policy,Response
8. Case: Apply with empty bag argument Request,Policy,Response
9. Case: Apply with multiple-element bag argument Request,Policy,Response
10. Case: true: Condition Evaluation Request,Policy,Response
11. Case: false: Condition Evaluation Request,Policy,Response
12. Case: ERROR: Condition Evaluation - non-boolean datatype Request,Policy,Response, Special Instructions

    ARITHMETIC FUNCTIONS

13. Case: function:integer-add Request,Policy,Response
14. Case: ERROR: function:integer-add - non-integer datatype Request,Policy,Response, Special Instructions
15. Case: function:double-add Request,Policy,Response
16. Case: function:integer-subtract Request,Policy,Response
17. Case: function:double-subtract Request,Policy,Response
18. Case: function:integer-multiply Request,Policy,Response
19. Case: function:double-multiply Request,Policy,Response
20. Case: function:integer-divide Request,Policy,Response
21. Case: function:double-divide Request,Policy,Response
22. Case: function:integer-mod Request,Policy,Response
23. Case: function:double-mod: IIC023*.xml: TEST DELETED
24. Case: function:round Request,Policy,Response
25. Case: function:floor Request,Policy,Response
26. Case: function:integer-abs Request,Policy,Response
27. Case: function:double-abs Request,Policy,Response

    ARITHMETIC CONVERSION FUNCTIONS

28. Case: function:double-to-integer Request,Policy,Response
29. Case: function:integer-to-double Request,Policy,Response

    EQUALITY FUNCTIONS

30. Case: true: function:integer-equal Request,Policy,Response
31. Case: false: function:integer-equal Request,Policy,Response
32. Case: true: function:double-equal Request,Policy,Response
33. Case: false: function:double-equal Request,Policy,Response
34. Case: true: function:boolean-equal Request,Policy,Response
35. Case: false: function:boolean-equal Request,Policy,Response
36. Case: true: function:string-equal Request,Policy,Response
37. Case: false: function:string-equal Request,Policy,Response
38. Case: true: function:rfc822Name-equal Request,Policy,Response
39. Case: false: function:rfc822Name-equal Request,Policy,Response
40. Case: true: function:x500Name-equal Request,Policy,Response
41. Case: false: function:x500Name-equal Request,Policy,Response
42. Case: true: function:date-equal Request,Policy,Response
43. Case: false: function:date-equal Request,Policy,Response
44. Case: true: function:time-equal Request,Policy,Response
45. Case: false: function:time-equal Request,Policy,Response
46. Case: true: function:dateTime-equal Request,Policy,Response
47. Case: false: function:dateTime-equal Request,Policy,Response
48. Case: true: function:hexBinary-equal Request,Policy,Response
49. Case: false: function:hexBinary-equal Request,Policy,Response
50. Case: true: function:base64Binary-equal Request,Policy,Response
51. Case: false: function:base64Binary-equal Request,Policy,Response
52. Case: true: function:anyURI-equal Request,Policy,Response
53. Case: false: function:anyURI-equal Request,Policy,Response
54. Case: true: function:QName-equal: IIC054*.xml: TEST DELETED
55. Case: false: function:QName-equal: IIC055*.xml: TEST DELETED

    See also DURATION-EQUALS TESTS below.

    String-regexp-match FUNCTION

56. Case: true: function:string-regexp-match Request,Policy,Response
57. Case: false: function:string-regexp-match Request,Policy,Response

    COMPARISON FUNCTIONS: GREATER THAN, GREATER THAN OR EQUAL

58. Case: true: function:integer-greater-than Request,Policy,Response
59. Case: false: function:integer-greater-than Request,Policy,Response
60. Case: true: function:double-greater-than Request,Policy,Response
61. Case: false: function:double-greater-than Request,Policy,Response
62. Case: true: function:string-greater-than Request,Policy,Response
63. Case: false: function:string-greater-than Request,Policy,Response
64. Case: true: function:date-greater-than Request,Policy,Response
65. Case: false: function:date-greater-than Request,Policy,Response
66. Case: true: function:time-greater-than Request,Policy,Response
67. Case: false: function:time-greater-than Request,Policy,Response
68. Case: true: function:dateTime-greater-than Request,Policy,Response
69. Case: false: function:dateTime-greater-than Request,Policy,Response
70. Case: true: function:integer-greater-than-or-equal Request,Policy,Response
71. Case: false: function:integer-greater-than-or-equal Request,Policy,Response
72. Case: true: function:double-greater-than-or-equal Request,Policy,Response
73. Case: false: function:double-greater-than-or-equal Request,Policy,Response
74. Case: true: function:string-greater-than-or-equal Request,Policy,Response
75. Case: false: function:string-greater-than-or-equal Request,Policy,Response
76. Case: true: function:date-greater-than-or-equal Request,Policy,Response
77. Case: false: function:date-greater-than-or-equal Request,Policy,Response
78. Case: true: function:time-greater-than-or-equal Request,Policy,Response
79. Case: false: function:time-greater-than-or-equal Request,Policy,Response
80. Case: true: function:dateTime-greater-than-or-equal Request,Policy,Response
81. Case: false: function:dateTime-greater-than-or-equal Request,Policy,Response

    rfc822Name and x500Name MATCHING FUNCTIONS

82. Case: true: function:rfc822Name-match Request,Policy,Response
83. Case: false: function:rfc822Name-match Request,Policy,Response
84. Case: true: function:x500Name-match Request,Policy,Response
85. Case: false: function:x500Name-match Request,Policy,Response

    LOGICAL FUNCTIONS

86. Case: true: function:and Request,Policy,Response
87. Case: false: function:and Request,Policy,Response
88. Case: true: function:ordered-and: IIC088*.xml: TEST DELETED
89. Case: false: function:ordered-and: IIC089*.xml: TEST DELETED
90. Case: true: function:or Request,Policy,Response
91. Case: false: function:or Request,Policy,Response
92. Case: true: function:ordered-or: IIC092*.xml: TEST DELETED
93. Case: false: function:ordered-or: IIC093*.xml: TEST DELETED
94. Case: true: function:n-of Request,Policy,Response
95. Case: false: function:n-of Request,Policy,Response
96. Case: true: function:not Request,Policy,Response
97. Case: false: function:not Request,Policy,Response
98. Case: true: function:present: IIC098*.xml: TEST DELETED
99. Case: false: function:present: IIC099*.xml: TEST DELETED

    STRING NORMALIZATION FUNCTIONS

100. Case: function:string-normalize-space Request,Policy,Response
101. Case: function:string-normalize-to-lower-case Request,Policy,Response

     DURATION FUNCTIONS

102. Case: function:dateTime-add-dayTimeDuration Request,Policy,Response
103. Case: function:dateTime-add-yearMonthDuration Request,Policy,Response
104. Case: function:dateTime-subtract-dayTimeDuration Request,Policy,Response
105. Case: function:dateTime-subtract-yearMonthDuration Request,Policy,Response
106. Case: function:date-add-yearMonthDuration Request,Policy,Response
107. Case: function:date-subtract-yearMonthDuration Request,Policy,Response

     See also DURATION-EQUALS TESTS below.

     COMPARISON FUNCTIONS: LESS THAN, LESS THAN OR EQUAL

108. Case: function:string-less-than Request,Policy,Response
109. Case: function:string-less-than-or-equal Request,Policy,Response
110. Case: function:integer-less-than Request,Policy,Response
111. Case: function:double-less-than Request,Policy,Response
112. Case: function:integer-less-than-or-equal Request,Policy,Response
113. Case: function:double-less-than-or-equal Request,Policy,Response
114. Case: function:time-less-than Request,Policy,Response
115. Case: function:time-less-than-or-equal Request,Policy,Response
116. Case: function:dateTime-less-than Request,Policy,Response
117. Case: function:dateTime-less-than-or-equal Request,Policy,Response
118. Case: function:date-less-than Request,Policy,Response
119. Case: function:date-less-than-or-equal Request,Policy,Response

     BAG FUNCTIONS

120. Case: function:string-bag-size Request,Policy,Response
121. Case: function:string-bag Request,Policy,Response
122. Case: function:boolean-one-and-only Request,Policy,Response
123. Case: function:boolean-bag-size Request,Policy,Response
124. Case: function:boolean-is-in Request,Policy,Response
125. Case: function:boolean-bag Request,Policy,Response
126. Case: function:integer-bag-size Request,Policy,Response
127. Case: function:integer-is-in Request,Policy,Response
128. Case: function:integer-bag Request,Policy,Response
129. Case: function:double-bag-size Request,Policy,Response
130. Case: function:double-is-in Request,Policy,Response
131. Case: function:double-bag Request,Policy,Response
132. Case: function:date-bag-size Request,Policy,Response
133. Case: function:date-is-in Request,Policy,Response
134. Case: function:date-bag Request,Policy,Response
135. Case: function:time-bag-size Request,Policy,Response
136. Case: function:time-is-in Request,Policy,Response
137. Case: function:time-bag Request,Policy,Response
138. Case: function:dateTime-bag-size Request,Policy,Response
139. Case: function:dateTime-is-in Request,Policy,Response
140. Case: function:dateTime-bag Request,Policy,Response
141. Case: function:anyURI-bag-size Request,Policy,Response
142. Case: function:anyURI-is-in Request,Policy,Response
143. Case: function:anyURI-bag Request,Policy,Response
144. Case: function:hexBinary-bag-size Request,Policy,Response
145. Case: function:hexBinary-is-in Request,Policy,Response
146. Case: function:hexBinary-bag Request,Policy,Response
147. Case: function:base64Binary-bag-size Request,Policy,Response
148. Case: function:base64Binary-is-in Request,Policy,Response
149. Case: function:base64Binary-bag Request,Policy,Response
150. Case: function:dayTimeDuration-one-and-only Request,Policy,Response
151. Case: function:dayTimeDuration-bag-size Request,Policy,Response
152. Case: function:dayTimeDuration-is-in Request,Policy,Response
153. Case: function:dayTimeDuration-bag Request,Policy,Response
154. Case: function:yearMonthDuration-one-and-only Request,Policy,Response
155. Case: function:yearMonthDuration-bag-size Request,Policy,Response
156. Case: function:yearMonthDuration-is-in Request,Policy,Response
157. Case: function:yearMonthDuration-bag Request,Policy,Response
158. Case: function:x500Name-bag-size Request,Policy,Response
159. Case: function:x500Name-is-in Request,Policy,Response
160. Case: function:x500Name-bag Request,Policy,Response
161. Case: function:rfc822Name-bag-size Request,Policy,Response
162. Case: function:rfc822Name-is-in Request,Policy,Response
163. Case: function:rfc822Name-bag Request,Policy,Response

     HIGHER-ORDER BAG FUNCTIONS

164. Case: function:any-of Request,Policy,Response
165. Case: function:all-of Request,Policy,Response
166. Case: function:any-of-any Request,Policy,Response
167. Case: function:all-of-any Request,Policy,Response
168. Case: function:any-of-all Request,Policy,Response
169. Case: function:all-of-all Request,Policy,Response
170. Case: function:map Request,Policy,Response

     SET FUNCTIONS

171. Case: function:string-intersection Request,Policy,Response
172. Case: function:string-at-least-one-member-of Request,Policy,Response
173. Case: function:string-union Request,Policy,Response
174. Case: function:string-subset Request,Policy,Response
175. Case: function:string-set-equals Request,Policy,Response
176. Case: function:boolean-intersection Request,Policy,Response
177. Case: function:boolean-at-least-one-member-of Request,Policy,Response
178. Case: function:boolean-union Request,Policy,Response
179. Case: function:boolean-subset Request,Policy,Response
180. Case: function:boolean-set-equals Request,Policy,Response
181. Case: function:integer-intersection Request,Policy,Response
182. Case: function:integer-at-least-one-member-of Request,Policy,Response
183. Case: function:integer-union Request,Policy,Response
184. Case: function:integer-subset Request,Policy,Response
185. Case: function:integer-set-equals Request,Policy,Response
186. Case: function:double-intersection Request,Policy,Response
187. Case: function:double-at-least-one-member-of Request,Policy,Response
188. Case: function:double-union Request,Policy,Response
189. Case: function:double-subset Request,Policy,Response
190. Case: function:double-set-equals Request,Policy,Response
191. Case: function:date-intersection Request,Policy,Response
192. Case: function:date-at-least-one-member-of Request,Policy,Response
193. Case: function:date-union Request,Policy,Response
194. Case: function:date-subset Request,Policy,Response
195. Case: function:date-set-equals Request,Policy,Response
196. Case: function:time-intersection Request,Policy,Response
197. Case: function:time-at-least-one-member-of Request,Policy,Response
198. Case: function:time-union Request,Policy,Response
199. Case: function:time-subset Request,Policy,Response
200. Case: function:time-set-equals Request,Policy,Response
201. Case: function:dateTime-intersection Request,Policy,Response
202. Case: function:dateTime-at-least-one-member-of Request,Policy,Response
203. Case: function:dateTime-union Request,Policy,Response
204. Case: function:dateTime-subset Request,Policy,Response
205. Case: function:dateTime-set-equals Request,Policy,Response
206. Case: function:anyURI-intersection Request,Policy,Response
207. Case: function:anyURI-at-least-one-member-of Request,Policy,Response
208. Case: function:anyURI-union Request,Policy,Response
209. Case: function:anyURI-subset Request,Policy,Response
210. Case: function:anyURI-set-equals Request,Policy,Response
211. Case: function:x500Name-intersection Request,Policy,Response
212. Case: function:x500Name-at-least-one-member-of Request,Policy,Response
213. Case: function:x500Name-union Request,Policy,Response
214. Case: function:x500Name-subset Request,Policy,Response
215. Case: function:x500Name-set-equals Request,Policy,Response
216. Case: function:rfc822Name-intersection Request,Policy,Response
217. Case: function:rfc822Name-at-least-one-member-of Request,Policy,Response
218. Case: function:rfc822Name-union Request,Policy,Response
219. Case: function:rfc822Name-subset Request,Policy,Response
220. Case: function:rfc822Name-set-equals Request,Policy,Response
221. Case: function:hexBinary-intersection Request,Policy,Response
222. Case: function:hexBinary-at-least-one-member-of Request,Policy,Response
223. Case: function:hexBinary-union Request,Policy,Response
224. Case: function:hexBinary-subset Request,Policy,Response
225. Case: function:hexBinary-set-equals Request,Policy,Response
226. Case: function:base64Binary-intersection Request,Policy,Response
227. Case: function:base64Binary-at-least-one-member-of Request,Policy,Response
228. Case: function:base64Binary-union Request,Policy,Response
229. Case: function:base64Binary-subset Request,Policy,Response
230. Case: function:base64Binary-set-equals Request,Policy,Response

     DURATION-EQUALS TESTS

231. Case: function:dayTimeDuration-equals
     **EXPERIMENTAL**
     Contributed by Anne Anderson <Anne.Anderson@Sun.COM>. Added to this test suite 27 February 2003.
     Request,Policy,Response
232. Case: function:yearMonthDuration-equals
     **EXPERIMENTAL**
     Contributed by Anne Anderson <Anne.Anderson@Sun.COM>. Added to this test suite 27 February 2003.
     Request,Policy,Response

Combining Algorithms

These tests exercise each of the mandatory Combining Algorithms.
1. Case: Permit: RuleCombiningAlgorithm DenyOverrides Request,Policy,Response
2. Case: Deny: RuleCombiningAlgorithm DenyOverrides Request,Policy,Response
3. Case: NotApplicable: RuleCombiningAlgorithm DenyOverrides Request,Policy,Response
4. Case: Indeterminate: RuleCombiningAlgorithm DenyOverrides Request,Policy,Response
5. Case: Permit: PolicyCombiningAlgorithm DenyOverrides Request,Policy,Response
6. Case: Deny: PolicyCombiningAlgorithm DenyOverrides Request,Policy,Response
7. Case: NotApplicable: PolicyCombiningAlgorithm DenyOverrides Request,Policy,Response
8. Case: Another Deny (can't return Indeterminate): PolicyCombiningAlgorithm DenyOverrides Request,Policy,Response
9. Case: Permit: RuleCombiningAlgorithm PermitOverrides Request,Policy,Response
10. Case: Deny: RuleCombiningAlgorithm PermitOverrides Request,Policy,Response
11. Case: NotApplicable: RuleCombiningAlgorithm PermitOverrides Request,Policy,Response
12. Case: Indeterminate: RuleCombiningAlgorithm PermitOverrides Request,Policy,Response
13. Case: Permit: PolicyCombiningAlgorithm PermitOverrides Request,Policy,Response
14. Case: Deny: PolicyCombiningAlgorithm PermitOverrides Request,Policy,Response
15. Case: NotApplicable: PolicyCombiningAlgorithm PermitOverrides Request,Policy,Response
16. Case: Indeterminate: PolicyCombiningAlgorithm PermitOverrides Request,Policy,Response
17. Case: Permit: RuleCombiningAlgorithm FirstApplicable Request,Policy,Response
18. Case: Deny: RuleCombiningAlgorithm FirstApplicable Request,Policy,Response
19. Case: NotApplicable: RuleCombiningAlgorithm FirstApplicable Request,Policy,Response
20. Case: Indeterminate: RuleCombiningAlgorithm FirstApplicable Request,Policy,Response
21. Case: Permit: PolicyCombiningAlgorithm FirstApplicable Request,Policy,Response
22. Case: Deny: PolicyCombiningAlgorithm FirstApplicable Request,Policy,Response
23. Case: NotApplicable: PolicyCombiningAlgorithm FirstApplicable Request,Policy,Response
24. Case: Indeterminate: PolicyCombiningAlgorithm FirstApplicable Request,Policy,Response
25. Case: Permit: PolicyCombiningAlgorithm OnlyOneApplicablePolicy Request,Policy,Response
26. Case: Deny: PolicyCombiningAlgorithm OnlyOneApplicablePolicy Request,Policy,Response
27. Case: NotApplicable: PolicyCombiningAlgorithm OnlyOneApplicablePolicy Request,Policy,Response
28. Case: Indeterminate: PolicyCombiningAlgorithm OnlyOneApplicablePolicy Request,Policy,Response
29. Case: Permit: Multiple initial policies, but only one applies Request, Policy1, Policy2, Response, Special Instructions
30. Case: Indeterminate: Multiple initial policies, more than one applies Request, Policy1, Policy2, Response, Special Instructions

Schema components

This section lists test cases for certain elements of the schema not exercised by test cases above.
1. Case: policy element PolicySetIdReference Request,Policy,PolicyId1,PolicySetId1,Response,Special Instructions
2. Case: policy element PolicyIdReference Request,Policy,PolicyId1,PolicySetId1,Response,Special Instructions
3. Case: PolicyIdReference to invalid, but non-evaluated, Policy
   **EXPERIMENTAL**
   Contributed by Anne Anderson <Anne.Anderson@Sun.COM>. Added to this test suite 27 February 2003.
   Request,Policy,PolicyId1,PolicyId2,Response,Special Instructions

XACML 2.0 new features

This section lists test cases for certain new features introduced in XACML 2.0 specification.
1. Case: policy element PolicySetIdReference **EXPERIMENTAL**
   Contributed by Argyn Kuketayev. Added to this test suite 13 October 2005.
   Request,Policy,Response,

---

Optional, but Normative Functionality Tests

These tests exercise areas of functionality that are not mandatory-to-implement, but that are normative when implemented. Submissions of tests for this section are invited.

Obligations

These tests exercise obligations (Special Instructions).

For rule combining algorithms:

1. Case: Permit: RuleCombiningAlgorithm DenyOverrides
   **EXPERIMENTAL**
   Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
   Request,Policy,Response
2. Case: Deny: RuleCombiningAlgorithm DenyOverrides
   **EXPERIMENTAL**
   Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
   Request,Policy,Response
3. Case: NotApplicable: RuleCombiningAlgorithm DenyOverrides
   **EXPERIMENTAL**
   Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
   Request,Policy,Response
4. Case: Indeterminate: RuleCombiningAlgorithm DenyOverrides
   **EXPERIMENTAL**
   Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
   Request,Policy,Response
5. Case: Permit: RuleCombiningAlgorithm PermitOverrides
   **EXPERIMENTAL**
   Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
   Request,Policy,Response
6. Case: Deny: RuleCombiningAlgorithm PermitOverrides
   **EXPERIMENTAL**
   Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
   Request,Policy,Response
7. Case: NotApplicable: RuleCombiningAlgorithm PermitOverrides
   **EXPERIMENTAL**
   Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
   Request,Policy,Response
8. Case: Indeterminate: RuleCombiningAlgorithm PermitOverrides
   **EXPERIMENTAL**
   Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
   Request,Policy,Response
9. Case: Permit: RuleCombiningAlgorithm FirstApplicable
   **EXPERIMENTAL**
   Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
   Request,Policy,Response
10. Case: Deny: RuleCombiningAlgorithm FirstApplicable
    **EXPERIMENTAL**
    Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
    Request,Policy,Response
11. Case: NotApplicable: RuleCombiningAlgorithm FirstApplicable
    **EXPERIMENTAL**
    Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
    Request,Policy,Response
12. Case: Indeterminate: RuleCombiningAlgorithm FirstApplicable
    **EXPERIMENTAL**
    Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
    Request,Policy,Response

    For policy combining algorithms:

13. Case: Permit: PolicyCombiningAlgorithm DenyOverrides
    **EXPERIMENTAL**
    Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
    Request,Policy,Response
14. Case: Deny: PolicyCombiningAlgorithm DenyOverrides
    **EXPERIMENTAL**
    Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
    Request,Policy,Response
15. Case: NotApplicable: PolicyCombiningAlgorithm DenyOverrides
    **EXPERIMENTAL**
    Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
    Request,Policy,Response
16. Case: AnotherDeny (can't return Indeterminate): PolicyCombiningAlgorithm DenyOverrides
    **EXPERIMENTAL**
    Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
    Request,Policy,Response
17. Case: Permit: PolicyCombiningAlgorithm PermitOverrides
    **EXPERIMENTAL**
    Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
    Request,Policy,Response
18. Case: Deny: PolicyCombiningAlgorithm PermitOverrides
    **EXPERIMENTAL**
    Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
    Request,Policy,Response
19. Case: NotApplicable: PolicyCombiningAlgorithm PermitOverrides
    **EXPERIMENTAL**
    Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
    Request,Policy,Response
20. Case: Indeterminate: PolicyCombiningAlgorithm PermitOverrides
    **EXPERIMENTAL**
    Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
    Request,Policy,Response
21. Case: Permit: PolicyCombiningAlgorithm FirstApplicable
    **EXPERIMENTAL**
    Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
    Request,Policy,Response
22. Case: Deny: PolicyCombiningAlgorithm FirstApplicable
    **EXPERIMENTAL**
    Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
    Request,Policy,Response
23. Case: NotApplicable: PolicyCombiningAlgorithm FirstApplicable
    **EXPERIMENTAL**
    Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
    Request,Policy,Response
24. Case: Indeterminate: PolicyCombiningAlgorithm FirstApplicable
    **EXPERIMENTAL**
    Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
    Request,Policy,Response
25. Case: Permit: PolicyCombiningAlgorithm OnlyOneApplicable
    **EXPERIMENTAL**
    Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
    Request,Policy,Response
26. Case: Deny: PolicyCombiningAlgorithm OnlyOneApplicable
    **EXPERIMENTAL**
    Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
    Request,Policy,Response
27. Case: NotApplicable: PolicyCombiningAlgorithm OnlyOneApplicable
    **EXPERIMENTAL**
    Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
    Request,Policy,Response
28. Case: Indeterminate: PolicyCombiningAlgorithm OnlyOneApplicable
    **EXPERIMENTAL**
    Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 11 March 2003, updated 25 March 2004 (fixed a bug reported by Seth Proctor).
    Request,Policy,Response

DefaultsType

1. Case: PolicySetDefaults XPathVersion
2. Case: PolicyDefaults XPathVersion
3. Case: PolicyDefaults XPathVersion differs from parent PolicySetDefaults XPathVersion

Hierarchical Resources

These tests exercise policy evaluation for hierarchical resources (Special Instructions).

1. Case: Scope="Immediate"
   **EXPERIMENTAL**
   Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 26 February 2003.
   Request,Policy,Response
2. Case: Scope="Children"
   **EXPERIMENTAL**
   Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 26 February 2003.
   Request,Policy,Response
3. Case: Scope="Descendants"
   **EXPERIMENTAL**
   Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 26 February 2003.
   Request,Policy,Response

<ResourceContent> Element

Multiple Decisions

Attribute Selectors

These tests exercise attribute selectors (Special Instructions).

1. Case: PRESENT: "MustBePresent" attribute in Target Attribute Selector
   **EXPERIMENTAL**
   Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 4 March 2003, updated 11 March 2003
   Request,Policy,Response
2. Case: MISSING: "MustBePresent" attribute in Target Attribute Selector
   **EXPERIMENTAL**
   Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 4 March 2003, updated 11 March 2003.
   Fix/modification for IIIF002Request.xml contributed by John Merrells <merrells@jiffysoftware.com>. Added to this test suite 11 March 2003.
   Request,Policy,Response
3. Case: PRESENT: "MustBePresent" attribute in Condition Attribute Selector
   **EXPERIMENTAL**
   Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 4 March 2003, updated 11 March 2003.
   Request,Policy,Response
4. Case: MISSING: "MustBePresent" attribute in Condition Attribute Selector
   **EXPERIMENTAL**
   Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 4 March 2003, updated 11 March 2003.
   Request,Policy,Response
5. Case: Syntax error in XPath expression
   **EXPERIMENTAL**
   Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 4 March 2003, updated 11 March 2003, updated 2 March 2004 (fixed a bug reported by Jin Peng).
   Request,Policy,Response
6. Case: Attribute Selector in PolicySet Target
   **EXPERIMENTAL**
   Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 4 March 2003, updated 11 March 2003.
   Request,Policy,Response
7. Case: Relative XPath expressions in Attribute Selector
   **EXPERIMENTAL**
   Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 21 March 2003.
   Request,Policy,Response

Non-mandatory Functions

These tests exercise each of the non-mandatory functions

1. Case: xpath-node-count
   **EXPERIMENTAL**
   Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 4 March 2003, updated 19 August 2003.
   Request,Policy,Response
2. Case: true: xpath-node-equal
   **EXPERIMENTAL**
   Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 4 March 2003, updated 19 August 2003.
   Request,Policy,Response
3. Case: false: xpath-node-equal
   **EXPERIMENTAL**
   Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 4 March 2003, updated 19 August 2003.
   Request,Policy,Response
4. Case: true: xpath-node-match
   **EXPERIMENTAL**
   Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 4 March 2003, updated 19 August 2003.
   Request,Policy,Response
5. Case: false: xpath-node-match
   **EXPERIMENTAL**
   Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 4 March 2003, updated 19 August 2003.
   Request,Policy,Response
6. Case: Relative XPath expressions in XPath-based functions
   **EXPERIMENTAL**
   Contributed by Satoshi Hada <SATOSHIH@jp.ibm.com>. Added to this test suite 21 March 2003, updated 19 August 2003.
   Request,Policy,Response,Special Instructions

---